[Turbofan] Fixes crash on missing BigInt.asUintN argument

Bug: chromium:1029576 Change-Id: If647f764da2682a0f278b9b8060d0665fab1c40c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1948711 Commit-Queue: Georg Neis <neis@chromium.org> Auto-Submit: Nico Hartmann <nicohartmann@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#65312}
2019-12-03 15:52:17 +01:00 · 2019-12-03 15:52:17 +01:00 · e76d29b35e
commit e76d29b35e
parent d406c672bc
2 changed files with 20 additions and 1 deletions
--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@ -7609,7 +7609,7 @@ Reduction JSCallReducer::ReduceBigIntAsUintN(Node* node) {
  if (p.speculation_mode() == SpeculationMode::kDisallowSpeculation) {
    return NoChange();
  }
-  if (node->op()->ValueInputCount() < 3) {
+  if (node->op()->ValueInputCount() < 4) {
    return NoChange();
  }

--- a/test/mjsunit/regress/regress-1029576.js
+++ b/test/mjsunit/regress/regress-1029576.js
@ -0,0 +1,19 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f() {
+  try {
+    return BigInt.asUintN(8);
+  } catch(_) {
+    return 42n;
+  }
+}
+
+%PrepareFunctionForOptimization(f);
+assertEquals(42n, f());
+assertEquals(42n, f());
+%OptimizeFunctionOnNextCall(f);
+assertEquals(42n, f());